Our security posture
Calm Lantern is a small product run with consumer privacy in mind. The following describes what we do today.
Transport security
- All connections to calmlantern.com use HTTPS with automatically rotated TLS certificates.
- HTTP connections are redirected to HTTPS.
- Strict-Transport-Security header is set on all responses.
Authentication
- Passwordless sign-in via one-time magic links sent to your email. No passwords to leak.
- Session cookies are HTTP-only, Secure, and SameSite=Lax.
- Sessions expire after 30 days of inactivity.
- Sign-in link requests are rate-limited, which throttles abuse and slows attempts to enumerate which email addresses have accounts.
Payment data
- All payment processing is handled by Stripe. We never see or store your full credit card number.
- Stripe is a PCI DSS Level 1 service provider; because card numbers never reach our systems, our own PCI scope stays minimal.
Data at rest
- Our database runs in an isolated network and is not exposed to the public internet.
- Daily encrypted backups are retained for 14 days.
- IP addresses are stored only as salted SHA-256 hashes, never in the clear. This is pseudonymisation rather than anonymisation: the IPv4 address space is small enough that anyone holding the salt can recover an address by brute force, so the hashes are only as private as the salt.
- For users who have not opted in to longer retention, we apply automated PII redaction (SSN, credit card, account numbers, emails, phone numbers) before persisting check content.
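The redaction step above is described only in outline. As an added illustration (not Calm Lantern's own redaction code), here is a pre-persistence redactor for the PII classes the page lists. The patterns, the `[LABEL]` placeholders and the sample message are constructed for the example; the one non-obvious choice is gating the card-number pattern on a Luhn check so that arbitrary 16-digit strings are not silently destroyed.

```python
import re

# Constructed patterns for the PII classes named on the page (illustrative,
# not Calm Lantern's own rules). Each is deliberately conservative.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# SSN in dashed form; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# North American phone numbers with optional +1, parentheses and separators.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")
# 13-19 digits with optional single separators; confirmed by Luhn before redaction.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Account numbers only when introduced by a label, to limit false positives.
ACCOUNT_RE = re.compile(r"(?i)\b(?:acct|account)(?:\s*(?:no|number|#))?\.?\s*:?\s*(\d{6,17})\b")


def luhn_ok(digits):
    """Luhn checksum (ISO/IEC 7812) over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _redact_card(match):
    digits = re.sub(r"\D", "", match.group(0))
    if 13 <= len(digits) <= 19 and luhn_ok(digits):
        return "[CARD]"
    return match.group(0)  # not a plausible PAN: leave the text untouched


def redact(text):
    """Replace each PII class with a fixed placeholder before persisting."""
    text = EMAIL_RE.sub("[EMAIL]", text)
    text = SSN_RE.sub("[SSN]", text)
    # Cards before phones: a separated 16-digit PAN must be judged as a whole.
    text = CARD_RE.sub(_redact_card, text)
    text = ACCOUNT_RE.sub(lambda m: m.group(0).replace(m.group(1), "[ACCOUNT]"), text)
    text = PHONE_RE.sub("[PHONE]", text)
    return text


# Constructed sample message; 4242 4242 4242 4242 is a well-known test PAN.
SAMPLE_MESSAGE = ("Call me at (415) 555-0123 or email jane.doe@example.com. "
                  "SSN 123-45-6789, card 4242 4242 4242 4242, account number 0012345678.")

if __name__ == "__main__":
    print(redact(SAMPLE_MESSAGE))
```

Regex redaction is a first pass, not a guarantee: numbers written with unusual separators or split across lines will slip through, and the placeholder approach deliberately loses the original value, so it must run only on the retention path the page describes.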
Data in transit (internal)
- Internal services communicate over a private Docker network.
- Database connections use credentials managed via environment variables and never committed to source control.
Webhook integrity
- Stripe webhooks are signature-verified before processing.
- Twilio webhooks are signature-verified before processing.
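Both bullets rely on the same idea: the provider keys an HMAC with a secret only it and the application know, and the handler recomputes it over the raw request before doing anything else. The following is an added example of both verifiers written against the documented schemes (Stripe: `Stripe-Signature` with `t=` and `v1=` fields, HMAC-SHA256 over `"<timestamp>.<raw body>"`, 300-second replay tolerance; Twilio: `X-Twilio-Signature`, base64 HMAC-SHA1 over the exact request URL followed by the key-sorted POST parameters). It is not Calm Lantern's code; the secrets, webhook URL and event body are constructed for the demo, and the two `*_for_demo` signers stand in for the providers so the verifiers can be exercised offline.

```python
import base64
import hashlib
import hmac
import time

# Hypothetical values, constructed for this example only.
STRIPE_ENDPOINT_SECRET = "whsec_constructed_example_secret"
TWILIO_AUTH_TOKEN = "constructed_twilio_auth_token"
TWILIO_WEBHOOK_URL = "https://example.com/hooks/twilio"
STRIPE_TOLERANCE_SECONDS = 300  # Stripe's documented default replay window


def verify_stripe_signature(payload, sig_header, endpoint_secret, now=None):
    """Verify Stripe's `Stripe-Signature` header against the raw request body.

    `payload` must be the raw bytes as received; re-serialising the parsed JSON
    changes whitespace and key order and the MAC will not match. Several v1
    values may be present while an endpoint secret is being rotated.
    """
    fields, v1_sigs = {}, []
    for item in sig_header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "v1":
            v1_sigs.append(value)
        else:
            fields[key] = value
    if "t" not in fields or not v1_sigs:
        return False
    try:
        timestamp = int(fields["t"])
    except ValueError:
        return False
    now = time.time() if now is None else now
    if abs(now - timestamp) > STRIPE_TOLERANCE_SECONDS:
        return False  # stale or future-dated: treat as a replay
    signed_payload = f"{timestamp}.".encode() + payload
    expected = hmac.new(endpoint_secret.encode(), signed_payload, hashlib.sha256).hexdigest()
    # Constant-time comparison against every candidate signature.
    return any(hmac.compare_digest(expected, sig) for sig in v1_sigs)


def verify_twilio_signature(url, form_params, sig_header, auth_token):
    """Verify Twilio's `X-Twilio-Signature` for a form-encoded POST.

    `url` must be the URL exactly as Twilio requested it (scheme, host, port and
    query string); behind a TLS-terminating proxy the application often sees a
    rewritten URL, which is the usual cause of spurious failures.
    """
    data = url + "".join(k + form_params[k] for k in sorted(form_params))
    digest = hmac.new(auth_token.encode(), data.encode("utf-8"), hashlib.sha1).digest()
    expected = base64.b64encode(digest).decode()
    return hmac.compare_digest(expected, sig_header)


# --- Sender side, constructed so the verifiers can be exercised offline ---

def stripe_sign_for_demo(payload, endpoint_secret, timestamp):
    mac = hmac.new(endpoint_secret.encode(), f"{timestamp}.".encode() + payload, hashlib.sha256)
    return f"t={timestamp},v1={mac.hexdigest()}"


def twilio_sign_for_demo(url, form_params, auth_token):
    data = url + "".join(k + form_params[k] for k in sorted(form_params))
    return base64.b64encode(hmac.new(auth_token.encode(), data.encode(), hashlib.sha1).digest()).decode()


if __name__ == "__main__":
    body = b'{"id": "evt_constructed", "type": "payment_intent.succeeded"}'
    t = int(time.time())
    header = stripe_sign_for_demo(body, STRIPE_ENDPOINT_SECRET, t)
    print("stripe valid:", verify_stripe_signature(body, header, STRIPE_ENDPOINT_SECRET))
    print("stripe tampered:", verify_stripe_signature(body + b" ", header, STRIPE_ENDPOINT_SECRET))
    params = {"From": "+15005550006", "Body": "Is this message a scam?"}
    sig = twilio_sign_for_demo(TWILIO_WEBHOOK_URL, params, TWILIO_AUTH_TOKEN)
    print("twilio valid:", verify_twilio_signature(TWILIO_WEBHOOK_URL, params, sig, TWILIO_AUTH_TOKEN))
```

In production the official Stripe and Twilio SDKs do the same computation; the value of writing it out is seeing the three things a handler must get right: use the raw body, compare in constant time, and reject old timestamps.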
LLM safety
- We cap our daily LLM spend with a hard limit. If a single day's usage would exceed it, we return an error rather than silently degrade — we never want to give you a worse answer without telling you.
- We do not send your data to multiple LLM providers simultaneously.
- We never let the LLM use the words "safe" or "legitimate."
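The spend cap is a fail-closed control: the decision is made before the provider is called, on an estimate, and a request that would cross the line gets an error rather than a cheaper model or a truncated prompt. As an added example (not Calm Lantern's implementation), the guard below reserves the worst-case cost up front so concurrent requests cannot jointly overshoot the cap, settles to the provider-reported cost afterwards, and resets at the day boundary. The prices, cap and token counts are hypothetical parameters; the `today` hook exists so the rollover can be exercised without waiting a day.

```python
import threading
from datetime import datetime, timezone


class BudgetExceeded(Exception):
    """Raised when a call would push the day's spend over the cap."""


class DailySpendCap:
    """Hard daily ceiling on LLM spend that fails closed.

    A request reserves its estimated cost before the provider is called, so
    in-flight requests count against the cap; when the provider reports actual
    usage the reservation is replaced by the real figure.
    """

    def __init__(self, cap_usd, today=None):
        self.cap_usd = cap_usd
        # `today` returns any comparable day key; default is the UTC calendar date.
        self._today = today or (lambda: datetime.now(timezone.utc).date())
        self._lock = threading.Lock()
        self._day = None
        self._spent = 0.0      # settled cost for the current day
        self._reserved = 0.0   # estimates for calls still in flight

    def _roll_day(self):
        day = self._today()
        if day != self._day:
            self._day, self._spent, self._reserved = day, 0.0, 0.0

    def reserve(self, estimated_usd):
        """Reserve budget for one call, or raise instead of proceeding degraded."""
        with self._lock:
            self._roll_day()
            if self._spent + self._reserved + estimated_usd > self.cap_usd:
                raise BudgetExceeded(
                    f"estimated ${estimated_usd:.4f} would exceed today's cap of ${self.cap_usd:.2f}")
            self._reserved += estimated_usd
            return estimated_usd  # handed back to settle()

    def settle(self, reserved_usd, actual_usd):
        """Replace a reservation with the provider-reported cost."""
        with self._lock:
            self._roll_day()
            self._reserved = max(0.0, self._reserved - reserved_usd)
            self._spent += actual_usd

    def remaining(self):
        with self._lock:
            self._roll_day()
            return self.cap_usd - self._spent - self._reserved


def estimate_cost_usd(prompt_tokens, max_output_tokens, in_per_million, out_per_million):
    """Worst-case estimate: assume the model uses its whole output allowance.
    Per-million-token prices are hypothetical parameters, not real rates."""
    return prompt_tokens * in_per_million / 1e6 + max_output_tokens * out_per_million / 1e6


def run_with_cap(cap, estimated_usd, call_provider):
    """Reserve, call, settle. BudgetExceeded propagates to the caller, which
    returns an error to the user; a provider failure releases the reservation."""
    token = cap.reserve(estimated_usd)
    try:
        answer, actual_usd = call_provider()  # call_provider returns (answer, cost_usd)
    except Exception:
        cap.settle(token, 0.0)
        raise
    cap.settle(token, actual_usd)
    return answer


if __name__ == "__main__":
    cap = DailySpendCap(cap_usd=25.00)
    est = estimate_cost_usd(prompt_tokens=1200, max_output_tokens=400, in_per_million=3.0, out_per_million=15.0)
    # Stand-in for the real provider call: returns a verdict and its actual cost.
    print(run_with_cap(cap, est, lambda: ("likely scam", est * 0.6)), round(cap.remaining(), 4))
```

Reserving the worst case means the guard is pessimistic near the limit, which is the right bias for a control whose purpose is to fail visibly rather than quietly.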
Operational
- Code review on every change before deployment.
- A pre-deployment quality gate runs an evaluation suite of known-scam and known-legitimate examples.
- We monitor application errors and uptime.
What we do not yet have
We are honest about our maturity. As of v1 we do not have:
- A SOC 2 or ISO 27001 audit.
- A formal bug bounty program (but please report — see below).
- A 24/7 on-call rotation.
- HIPAA or PCI Level 1 certification.
We will pursue these as the product matures and the user base grows.
Reporting a vulnerability
If you find a security issue, please email security@calmlantern.com. We commit to:
- Acknowledging your report within 2 business days.
- Working with you in good faith to verify and fix the issue.
- Crediting you publicly, if you wish, after the issue is resolved.
Please give us a reasonable time to fix issues before disclosing them publicly. We do not currently offer monetary bounties but are grateful for responsible disclosure.